From 8e0a030085b0a6cbd64f01b886299ad970ec03c9 Mon Sep 17 00:00:00 2001
From: Dmitriy Pleshevskiy
Date: Sat, 1 Jun 2024 03:42:04 +0300
Subject: [PATCH] modules/yubikey: add support of yubico pam
---
hosts/asus-gl553vd/configuration.nix | 6 +-
modules/nixos/configs/lockscreen/i3lock.nix | 2 +-
modules/nixos/configs/yubikey.nix | 75 ++++++++++++++++-----
3 files changed, 63 insertions(+), 20 deletions(-)
diff --git a/hosts/asus-gl553vd/configuration.nix b/hosts/asus-gl553vd/configuration.nix
index 14ccd19..9da537f 100644
--- a/hosts/asus-gl553vd/configuration.nix
+++ b/hosts/asus-gl553vd/configuration.nix
@@ -7,7 +7,11 @@
 ./users
 ];
- local.yubikey.enable = true;
+ local.yubikey = {
+ enable = true;
+ serial = "28058247";
+ unplug.enable = true;
+ };
 ################################################################################
 # Services
diff --git a/modules/nixos/configs/lockscreen/i3lock.nix b/modules/nixos/configs/lockscreen/i3lock.nix
index 6dc39ac..a5e9eab 100644
--- a/modules/nixos/configs/lockscreen/i3lock.nix
+++ b/modules/nixos/configs/lockscreen/i3lock.nix
@@ -11,7 +11,7 @@ in
 config = lib.mkIf cfg.enable {
 programs.i3lock = {
 enable = true;
- u2fSupport = lib.mkDefault config.local.yubikey.enable;
+ u2fSupport = lib.mkDefault config.security.pam.u2f.enable;
 };
 programs.xss-lock.enable = true;
diff --git a/modules/nixos/configs/yubikey.nix b/modules/nixos/configs/yubikey.nix
index b0ae12e..c0b16dc 100644
--- a/modules/nixos/configs/yubikey.nix
+++ b/modules/nixos/configs/yubikey.nix
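Review bot: Setting `serial = "28058247"` does more than record the key's serial: in the yubikey module changed by this same commit a non-null serial switches the host from pam_u2f to pam_yubico challenge-response for PAM, so the intent should be stated next to it, e.g. `# non-null serial selects pam_yubico challenge-response instead of pam_u2f`. Because `multi-factor.enable` defaults to true the pam_yubico line is `required`; if I read pam_yubico correctly, an account that has no challenge file set up yet (ykpamcfg) would then fail to authenticate, which is worth confirming before rebuilding with this on a single host.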
@@ -1,32 +1,71 @@
 { config, lib, pkgs, ... }:
-let cfg = config.local.yubikey; in
+let
+ cfg = config.local.yubikey;
+
+ control = if cfg.multi-factor.enable then "required" else "sufficient";
+in
 {
 options.local.yubikey = with lib; {
 enable = mkEnableOption "yubikey";
+
+ serial = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ multi-factor.enable = mkEnableOption "multi-factor" // { default = true; };
+
+ unplug = {
+ enable = mkEnableOption "Do action when a Yubikey is unplugged";
+ model = mkOption {
+ type = types.str;
+ default = "407";
+ };
+ command = mkOption {
+ type = types.str;
+ default = "${pkgs.systemd}/bin/loginctl lock-sessions";
+ };
+ };
 };
 config = lib.mkIf cfg.enable {
 environment.systemPackages = [ pkgs.yubikey-manager pkgs.yubikey-personalization ];
- security.pam.u2f = {
- enable = true;
- control = "required";
- cue = lib.mkDefault true;
- };
+ security.pam =
+ if cfg.serial == null then
+ {
+ u2f = {
+ enable = true;
+ inherit control;
+ cue = lib.mkDefault true;
+ };
- services.udev.packages = [ pkgs.yubikey-personalization ];
- security.pam.services = {
- login.u2fAuth = true;
- sudo.u2fAuth = true;
- };
- services.pcscd.enable = true;
+ services = {
+ login.u2fAuth = lib.mkDefault true;
+ sudo.u2fAuth = lib.mkDefault true;
+ };
+ }
+ else
+ {
+ yubico = {
+ enable = true;
+ inherit control;
+ mode = "challenge-response";
+ id = [ cfg.serial ];
+ };
+ };
- services.udev.extraRules = lib.mkIf config.programs.xss-lock.enable ''
- ACTION=="remove",\
- ENV{DEVTYPE}=="usb_device",\
- ENV{PRODUCT}=="1050/402/543",\
- RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
- '';
+ services.pcscd.enable = cfg.serial != null;
+
+ services.udev = {
+ packages = [ pkgs.yubikey-personalization ];
+ extraRules = lib.mkIf cfg.unplug.enable ''
+ ACTION=="remove",\
+ ENV{DEVTYPE}=="usb_device",\
+ ENV{PRODUCT}=="1050/${cfg.unplug.model}/543",\
+ RUN+="${cfg.unplug.command}"
+ '';
+ };
 };
 }
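Review bot: `id = [ cfg.serial ]` in the else branch most likely has no effect in challenge-response mode: as far as I recall the NixOS pam module, `security.pam.yubico.id` is the Yubico validation client id and is only passed to pam_yubico when `mode = "client"`, while challenge-response binds the key through the per-user challenge file (see `challengeResponsePath`), so `serial` currently only selects the branch and does not pin the key as its name suggests; either drop the `id` line and give the option `description = "Non-null switches PAM from pam_u2f to pam_yubico challenge-response; the value is not used to bind the key.";` or confirm the module behaviour. `security.pam.yubico.enable` also applies to every PAM service, unlike the previous per-service `login.u2fAuth`/`sudo.u2fAuth` lines it replaces, so with `multi-factor.enable = false` possession of the key alone is `sufficient` everywhere including sudo; a short comment on the `control` binding stating that trade-off would help. The new `serial`, `model` and `command` options carry no `description`, and `command` is executed by udev as root on device removal, which its description should say.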